The Internet provides access to various pieces of information, applications, services, and the like, and serves as a platform for publishing information. Today, the Internet has significantly changed the way we access and use information. The Internet allows users to quickly and easily access services such as banking, e-commerce, e-trading, and other services people use in their daily lives.
In order to access such services, a user often shares personal information such as name and contact details, as well as highly confidential information such as usernames, passwords, bank account numbers, and credit card details, with service providers. Similarly, confidential information of companies, such as trade secrets, financial details, employee details, company strategies, and the like, is also stored on servers that are connected to the Internet. There is a threat that such confidential and/or personal information will be accessed by hackers using unauthorized access methods. Specifically, such unauthorized access methods may include, for example, the use of malware, viruses, spyware, key loggers, compromised remote desktop services, and the like.
Recently, the frequency and complexity level of attacks has increased with respect to attacks performed against all organizations including, but not limited to, cloud providers, enterprise organizations, and network carriers. Some complex attacks, known as multi-vector attack campaigns, utilize different types of attack techniques to identify weaknesses in the target network and/or application resources. Identified weaknesses can be exploited to achieve the attack's goals, thereby compromising the entire security framework of the network.
One example of a multi-vector attack campaign is an advanced persistent threat (APT). An APT is an attack in which an unauthorized hacker gains access to a network and remains undetected for a long period of time. Due to the complexity of multi-vector attack campaigns, such attacks are frequently successful and go undetected by current security solutions. This is due to the fact that current security solutions are not sufficiently agile and adaptive with respect to the detection, investigation, and mitigation resources needed to meet such evolving threats. Specifically, current security solutions cannot easily and promptly adapt to detect and mitigate new attack behavior, or attacks that change their behavior in a significant manner in order to bypass the security.
In addition, security solutions and, in particular, solutions for APT attacks, do not provide reliable automatic decision-making capabilities. Typically, security solutions are not designed for both detection and automatic decision-making. Moreover, system administrators do not trust currently available security solutions designed to mitigate complex attacks due, in part, to the high level of false positive alerts generated by such systems because of inaccurate mitigation control. As a result of such false positive alerts, system administrators often perform decision-making processes manually rather than permit automatic decision-making, which usually increases the time needed to mitigate attacks. Furthermore, current solutions cannot predict potential risks, such as future activities that are associated with pre-attack intelligence gathering, malware propagation, data breach, and exfiltration of data. Current solutions also suffer from a lack of situational awareness of the main risks and loss potential that attacks can impose on a business.
Furthermore, due to the lack of automatic decision-making, remediation and/or mitigation actions are not well defined and prioritized, thereby resulting in inefficient utilization of security resources such as investigation resources and mitigation resources. Specifically, mitigation actions cannot be automatically activated in advance in order to protect potential victims from future exploitation attempts, that is, to protect a protected object before it is victimized or exploited. Current solutions do not even offer advance or proactive mitigation when a mitigation action is executed against the attacker. For example, if an attacker carries out an APT attack against a specific target and such an attack is detected and mitigated, current solutions are not designed to automatically and proactively mitigate propagation of the attack against other targets. Thus, current solutions are limited in the defense that they can provide to protected objects and are further limited in their ability to block the expansion of cyber-threats, and particularly of multi-vector attack campaigns (e.g., APTs).
It would therefore be advantageous to provide a security solution that would at least overcome the deficiencies noted above.